华为VPN技术

1. 启动设备

2. 配置IP地址

[FW1]int g1/0/0

[FW1-GigabitEthernet1/0/0]ip add 192.168.1.254 24

[FW1-GigabitEthernet1/0/0]int g1/0/1

[FW1-GigabitEthernet1/0/1]ip add 100.1.1.1 24

[FW1-GigabitEthernet1/0/1]service-manage ping permit

[FW2]int g1/0/0

[FW2-GigabitEthernet1/0/0]ip add 192.168.2.254 24

[FW2-GigabitEthernet1/0/0]int g1/0/1

[FW2-GigabitEthernet1/0/1]ip add 200.1.1.2 24

[FW2-GigabitEthernet1/0/1]service-manage ping permit

[AR1]int g0/0/0

[AR1-GigabitEthernet0/0/0]ip add 100.1.1.2 24

[AR1-GigabitEthernet0/0/0]int g0/0/1

[AR1-GigabitEthernet0/0/1]ip add 200.1.1.1 24

3. 配置Tunnel接口

[FW1]int Tunnel 0

[FW1-Tunnel0]ip add 172.16.1.1 24

[FW1-Tunnel0]tunnel-protocol gre

[FW1-Tunnel0]source 100.1.1.1

[FW1-Tunnel0]destination 200.1.1.2

[FW2]int Tunnel 0

[FW2-Tunnel0]ip add 172.16.1.2 24

[FW2-Tunnel0]tunnel-protocol gre

[FW2-Tunnel0]source 200.1.1.2

[FW2-Tunnel0]destination 100.1.1.1

4. 将防火墙接口加入指定区域

[FW1]firewall zone trust

[FW1-zone-trust]add int g1/0/0

[FW1-zone-trust]q

[FW1]firewall zone untrust

[FW1-zone-untrust]add int g1/0/1

[FW1-zone-untrust]add int Tunnel 0

[FW2]firewall zone trust

[FW2-zone-trust]add int g1/0/0

[FW2-zone-trust]q

[FW2]firewall zone untrust

[FW2-zone-untrust]add int g1/0/1

[FW2-zone-untrust]add int Tunnel 0

5. 配置OSPF

[FW1]ospf 1

[FW1-ospf-1]area 0

[FW1-ospf-1-area-0.0.0.0]network 100.1.1.0 0.0.0.255

[AR1]ospf 1

[AR1-ospf-1]area 0

[AR1-ospf-1-area-0.0.0.0]network 100.1.1.0 0.0.0.255

[AR1-ospf-1-area-0.0.0.0]network 200.1.1.0 0.0.0.255

[FW2]ospf 1

[FW2-ospf-1]area 0

[FW2-ospf-1-area-0.0.0.0]network 200.1.1.0 0.0.0.255

6. 配置路由条目

[FW1]ip route-static 192.168.2.0 24 Tunnel 0

[FW2]ip route-static 192.168.1.0 24 Tunnel 0

7. 配置防火墙策略

[FW1]security-policy

[FW1-policy-security]rule name local-untrust

[FW1-policy-security-rule-local-untrust]source-zone local

[FW1-policy-security-rule-local-untrust]destination-zone untrust

[FW1-policy-security-rule-local-untrust]source-address 100.1.1.0 0.0.0.255

[FW1-policy-security-rule-local-untrust]destination-address 200.1.1.0 0.0.0.255

[FW1-policy-security-rule-local-untrust]action permit

[FW1-policy-security-rule-local-untrust]q

[FW1-policy-security]rule name untrust-local

[FW1-policy-security-rule-untrust-local]source-zone untrust

[FW1-policy-security-rule-untrust-local]destination-zone local

[FW1-policy-security-rule-untrust-local]source-address 200.1.1.0 0.0.0.255

[FW1-policy-security-rule-untrust-local]destination-address 100.1.1.0 0.0.0.255

[FW1-policy-security-rule-untrust-local]action permit

[FW1-policy-security-rule-untrust-local]q

[FW1-policy-security]rule name trust-untrust

[FW1-policy-security-rule-trust-untrust]source-zone trust

[FW1-policy-security-rule-trust-untrust]destination-zone untrust

[FW1-policy-security-rule-trust-untrust]source-address 192.168.1.0 0.0.0.255

[FW1-policy-security-rule-trust-untrust]action permit

[FW1-policy-security-rule-trust-untrust]q

[FW1-policy-security]rule name untrust-trust

[FW1-policy-security-rule-untrust-trust]source-zone untrust

[FW1-policy-security-rule-untrust-trust]destination-zone trust

[FW1-policy-security-rule-untrust-trust]action permit

[FW2]security-policy

[FW2-policy-security]rule name untrust-local

[FW2-policy-security-rule-untrust-local]source-zone untrust

[FW2-policy-security-rule-untrust-local]destination-zone local

[FW2-policy-security-rule-untrust-local]action permit

[FW2-policy-security-rule-untrust-local]q

[FW2-policy-security]rule name local-untrust

[FW2-policy-security-rule-local-untrust]source-zone local

[FW2-policy-security-rule-local-untrust]destination-zone untrust

[FW2-policy-security-rule-local-untrust]action permit

[FW2-policy-security-rule-local-untrust]q

[FW2-policy-security]rule name trust-untrust

[FW2-policy-security-rule-trust-untrust]source-zone trust

[FW2-policy-security-rule-trust-untrust]destination-zone untrust

[FW2-policy-security-rule-trust-untrust]source-address 192.168.2.0 0.0.0.255

[FW2-policy-security-rule-trust-untrust]action permit

[FW2-policy-security-rule-trust-untrust]q

[FW2-policy-security]rule name untrust-trust

[FW2-policy-security-rule-untrust-trust]source-zone untrust

[FW2-policy-security-rule-untrust-trust]destination-zone trust

[FW2-policy-security-rule-untrust-trust]source-address 192.168.1.0 0.0.0.255

[FW2-policy-security-rule-untrust-trust]action permit

8. 配置NAT策略

[FW1]nat-policy

[FW1-policy-nat]rule name trust-untrust

[FW1-policy-nat-rule-trust-untrust]source-zone trust

[FW1-policy-nat-rule-trust-untrust]destination-zone untrust

[FW1-policy-nat-rule-trust-untrust]source-address 192.168.1.0 0.0.0.255

[FW1-policy-nat-rule-trust-untrust]action source-nat easy-ip

[FW2]nat-policy

[FW2-policy-nat]rule name trust-untrust

[FW2-policy-nat-rule-trust-untrust]source-zone trust

[FW2-policy-nat-rule-trust-untrust]destination-zone untrust

[FW2-policy-nat-rule-trust-untrust]source-address 192.168.2.0 0.0.0.255

[FW2-policy-nat-rule-trust-untrust]action source-nat easy-ip

验证:

1.pc2ping 通pc1

2. 查看FW2防火墙会话表(看GRE协议的数据包走向)

3. 查看NAT地址转换(pc2ping100.1.1.1时,查看防火墙会话表,可以看到私网地址转换成200.1.1.2后访问100.1.1.1)

4. 抓FW2G1/0/1端口的包查看(GRE的端口是47)

相关推荐
虹科数字化与AR3 分钟前
安宝特应用 | 美国OSHA扩展Vuzix AR眼镜应用,强化劳动安全与效率
安全·ar·远程协助
_oP_i3 分钟前
.NET Core 项目配置到 Jenkins
运维·jenkins·.netcore
weixin_4373982111 分钟前
Linux扩展——shell编程
linux·运维·服务器·bash
小燚~13 分钟前
ubuntu开机进入initramfs状态
linux·运维·ubuntu
小林熬夜学编程20 分钟前
【Linux网络编程】第十四弹---构建功能丰富的HTTP服务器:从状态码处理到服务函数扩展
linux·运维·服务器·c语言·网络·c++·http
Hacker_Fuchen22 分钟前
天融信网络架构安全实践
网络·安全·架构
炫彩@之星24 分钟前
Windows和Linux安全配置和加固
linux·windows·安全·系统安全配置和加固
上海运维Q先生25 分钟前
面试题整理15----K8s常见的网络插件有哪些
运维·网络·kubernetes
hhhhhhh_hhhhhh_34 分钟前
ubuntu18.04连接不上网络问题
linux·运维·ubuntu
ProtonBase35 分钟前
如何从 0 到 1 ,打造全新一代分布式数据架构
java·网络·数据库·数据仓库·分布式·云原生·架构